15.7 Privacy Issues Connected to Accept Headers

15.7 Privacy Issues Connected to Accept Headers

Accept request-headers can reveal information about the user to all
servers which are accessed. The Accept-Language header in particular
can reveal information the user would consider to be of a private
nature, because the understanding of particular languages is often
strongly correlated to the membership of a particular ethnic group.
User agents which offer the option to configure the contents of an
Accept-Language header to be sent in every request are strongly
encouraged to let the configuration process include a message which
makes the user aware of the loss of privacy involved.

An approach that limits the loss of privacy would be for a user agent
to omit the sending of Accept-Language headers by default, and to ask
the user whether it should start sending Accept-Language headers to a
server if it detects, by looking for any Vary response-header fields
generated by the server, that such sending could improve the quality
of service.

Elaborate user-customized accept header fields sent in every request,
in particular if these include quality values, can be used by servers
as relatively reliable and long-lived user identifiers. Such user
identifiers would allow content providers to do click-trail tracking,
and would allow collaborating content providers to match cross-server
click-trails or form submissions of individual users. Note that for
many users not behind a proxy, the network address of the host
running the user agent will also serve as a long-lived user
identifier. In environments where proxies are used to enhance
privacy, user agents should be conservative in offering accept header
configuration options to end users. As an extreme privacy measure,
proxies could filter the accept headers in relayed requests. General
purpose user agents which provide a high degree of header
configurability should warn users about the loss of privacy which can
be involved.